| Message ID | 97a6a1c557f0f1e6d55d8d09b326f8b1@nuclearcat.com |
|---|---|
| State | Awaiting Upstream, archived |
| Delegated to: | David Miller |
| Headers | show |
On Mon, Nov 28, 2016 at 12:45:59PM +0200, Denys Fedoryshchenko wrote: > Hello, > > I noticed that if i specify -j SNAT with options --random --random-fully > still it keeps persistence for source IP. So you specify both? > Actually truly random src ip required in some scenarios like links balanced > by IPs, but seems since 2012 at least it is not possible. > > But actually if i do something like: > --- nf_nat_core.c.new 2016-11-28 09:55:54.000000000 +0000 > +++ nf_nat_core.c 2016-11-21 09:11:59.000000000 +0000 > @@ -282,13 +282,9 @@ > * client coming from the same IP (some Internet Banking sites > * like this), even across reboots. > */ > - if (range->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY) { > - j = prandom_u32(); > - } else { > - j = jhash2((u32 *)&tuple->src.u3, sizeof(tuple->src.u3) / sizeof(u32), > + j = jhash2((u32 *)&tuple->src.u3, sizeof(tuple->src.u3) / sizeof(u32), > range->flags & NF_NAT_RANGE_PERSISTENT ? > 0 : (__force u32)tuple->dst.u3.all[max] ^ zone->id); > - } > > full_range = false; > for (i = 0; i <= max; i++) { > > It works as intended. But i guess to not break compatibility it is better > should be introduced as new option? > Or maybe there is no really need for such option? Why does your patch reverts NF_NAT_RANGE_PROTO_RANDOM_FULLY?
--- nf_nat_core.c.new 2016-11-28 09:55:54.000000000 +0000 +++ nf_nat_core.c 2016-11-21 09:11:59.000000000 +0000 @@ -282,13 +282,9 @@ * client coming from the same IP (some Internet Banking sites * like this), even across reboots. */ - if (range->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY) { - j = prandom_u32(); - } else { - j = jhash2((u32 *)&tuple->src.u3, sizeof(tuple->src.u3) / sizeof(u32), + j = jhash2((u32 *)&tuple->src.u3, sizeof(tuple->src.u3) / sizeof(u32), range->flags & NF_NAT_RANGE_PERSISTENT ? 0 : (__force u32)tuple->dst.u3.all[max] ^ zone->id); - } full_range = false;
Hello, I noticed that if i specify -j SNAT with options --random --random-fully still it keeps persistence for source IP. Actually truly random src ip required in some scenarios like links balanced by IPs, but seems since 2012 at least it is not possible. But actually if i do something like: for (i = 0; i <= max; i++) { It works as intended. But i guess to not break compatibility it is better should be introduced as new option? Or maybe there is no really need for such option?